Data security breaches are an increasingly serious problem for data-intensive industries of all kinds. Recent research shows that 90 per cent of all large organizations—including insurance carriers—suffered cyber security breaches in 2015, up from 81 per cent in 2014. Moreover, cybersecurity breaches are becoming more frequent and more expensive; according to the Ponemon Institute’s latest study on cybersecurity, the average consolidated cost of a data breach grew from USD 3.8 million to USD 4 million.

The study also reports that the average cost incurred for each lost or stolen record containing sensitive and confidential information increased from USD 154 to USD 158.2.

“This is something that insurers need to pay careful attention to,” said Michael Macauley, CEO of Quadrant Information Services, a supplier of pricing analytics services to property and casualty insurance carriers, in a press statement.

“As an industry, insurers tend to believe that their data—and with it, the trust of their policyholders—is secure. At one time, that might have been a reasonable assumption; but insurance, which is now a high-tech industry, is just as vulnerable to attacks by hackers as are banking, retail, entertainment, and the other categories of enterprise that have been hit with this problem.”

Macauley noted that in bolstering their cybersecurity programs, insurers should be vigilant in protecting not only against external vulnerabilities, but internal ones as well. “One factor is simple employee negligence, a lot of which can be ameliorated by training. For instance, if an employee gets a phishing email—and everybody does from time to time—they need to know that they should never, under any circumstances, click on the link. If they’re in an open office and in the course of their work they access data of different types with different passwords, they need to know that they should never keep a Post-it note on their desk with the passwords on it.”

Macauley also cautioned that increased employee awareness and better training are not enough. Citing the latest Ponemon Institute study, he pointed out that at least 35 per cent of cyber breaches happen due to system or business process failures. As he put it, “By its nature, building business processes tends to be reactive: we put a process in place because a problem has occurred, and we think this will solve it. What we need to do now, particularly with data security, is to look at problems that might arise—before they happen—and put something in place to prevent them.”

Such planning is particularly important in light of the trend toward using telematics (constant monitoring) as a basis for setting insurance rates. While this seemed like science fiction a few years ago, it’s now a rapidly growing reality. Health insurance carriers are using wearable technologies, such as Fitbit or Jawbone, to monitor policyholders’ weight and exercise habits; auto insurers are installing monitoring devices in cars and rewarding policyholders who drive less and don’t speed; and similar innovations are in the works for other types of coverage. This is what’s called “the Internet of things,” where refrigerators, home heating systems, cars, alarm systems and heart rate monitors communicate directly with each other.

Cisco Systems estimates that by 2020, there will be as many as fifty billion such devices, all sending and receiving data. In Quadrant’s view, this is a very good step, overall, for both policyholders and the insurance industry. However, it involves a vast amount of very personal information, which poses a significant risk for insurers if it should be misappropriated or misused.

What all this means is that progress in big data and in security must go hand-in-hand. “It’s not enough to just put in firewalls; to create a data environment that can securely maintain this type of sensitive information, the industry needs to reshape the way it thinks about itself. We need to move—and quickly—to a truly security-centric business model,” he added.